Merge pull request #296809 from halkazwini/waf-screenshots

 [BULK] WAF screenshots reduction

Author: Stacyrch140

articles/web-application-firewall/afds/automated-detection-response-with-sentinel.md

@@ -28,7 +28,6 @@ You install a Sentinel playbook named *Block-IPAzureWAF* from a template on GitH
 You install the playbook from a template on GitHub.
 1. Go to the [GitHub repository](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20WAF/Playbook%20-%20WAF%20Sentinel%20Playbook%20Block%20IP%20-%20New) and select **Deploy to Azure** to launch the template.
 1. Fill in the required parameters. You can get your Front Door ID from the Azure portal. The Front Door ID is the resource ID of the Front Door resource.
-   :::image type="content" source="../media/automated-detection-response-with-sentinel/playbook-template.png" alt-text="Screenshot showing the playbook template.":::
 1. Select **Review + create** and then **Create**.
 
 ## Authorize the API connection
@@ -41,8 +40,6 @@ An API connection named *azuresentinel-Block-IPAzureWAF* is created as part of t
 1. Select **Authorize**.
 1. Select **Save**.
 
-:::image type="content" source="../media/automated-detection-response-with-sentinel/authorize-api.png" alt-text="Screenshot showing the API authorization screen."lightbox="../media/automated-detection-response-with-sentinel/authorize-api.png":::
-
 ## Configure the Contributor role assignment
 
 The playbook must have the necessary permissions to query and modify the existing WAF policy via the REST API.  You can assign the playbook a system-assigned Managed Identity with Contributor permissions on the Front Door resource along with their associated WAF policies. You can assign permissions only if your account has been assigned Owner or User Access Administrator roles to the underlying resource.

articles/web-application-firewall/afds/protect-api-hosted-apim-by-waf.md

@@ -1,5 +1,5 @@
 ---
-title: Protect APIs hosted in APIM using Azure Web Application Firewall with Azure Front Door
+title: Protect APIs hosted in APIM using Azure WAF with Azure Front Door
 description: This article guides you through a process of creating an API in APIM and protects it from a web application attack using Azure Web Application Firewall integrated with Azure Front Door.
 author: halkazwini
 ms.author: halkazwini
@@ -18,28 +18,19 @@ This article describes how to use [Azure Web Application Firewall on Azure Front
 
 ## Create an APIM instance and publish an API in APIM that generates a mock API response
 
-1. Create an APIM instance
-
-   [Quickstart: Create a new Azure API Management service instance by using the Azure portal](../../api-management/get-started-create-service-instance.md)
+1. Create an APIM instance. For more information, see [Quickstart: Create a new Azure API Management service instance by using the Azure portal](../../api-management/get-started-create-service-instance.md).
 
    The following screenshot shows that an APIM instance called **contoso-afd-apim-resource** has been created. It can take up to 30 to 40 minutes to create and activate an API Management service. 
 
    :::image type="content" source="../media/protect-api-hosted-in-apim-by-waf/contoso-main-page.png" alt-text="A screenshot showing the APIM instance created." lightbox="../media/protect-api-hosted-in-apim-by-waf/contoso-main-page.png":::
 
 
-2. Create an API and generate mock API responses
-   
-   [Tutorial: Mock API responses](../../api-management/mock-api-responses.md#add-an-operation-to-the-test-api)
+2. Create an API and generate mock API responses. For more information, see [Tutorial: Mock API responses](../../api-management/mock-api-responses.md#add-an-operation-to-the-test-api).
 
    Replace the name of API from **Test API** given in the above tutorial with **Book API**.
 
    The Book API does a GET operation for `_/test_` as the URL path for the API. You can see the response for the API is set as **200 OK** with content type as application/json with text as `{“Book”:” $100”}`.
 
-   :::image type="content" source="../media/protect-api-hosted-in-apim-by-waf/apim-get-test.png" alt-text="A screenshot showing the GET operation defined in APIM." lightbox="../media/protect-api-hosted-in-apim-by-waf/apim-get-test.png":::
-
-   :::image type="content" source="../media/protect-api-hosted-in-apim-by-waf/apim-200-ok.png" alt-text="A screenshot showing the mock response created." lightbox="../media/protect-api-hosted-in-apim-by-waf/apim-200-ok.png":::
-
-
 3. Deselect **Subscription required** check box under the API settings tab and select **Save**.
 
 4. Test the mock responses from the APIM interface. You should receive a **200 OK** response.
@@ -85,34 +76,24 @@ Requests routed through the Front Door include headers specific to your Front Do
 
 1. Copy the Front Door ID from the AFD overview page.
 
-   :::image type="content" source="../media/protect-api-hosted-in-apim-by-waf/afd-endpoint-fd-id.png" alt-text="A screenshot showing the AFD ID." lightbox="../media/protect-api-hosted-in-apim-by-waf/afd-endpoint-fd-id.png":::
-
-
 2. Access the APIM API page, select the Book API, select **Design** and **All operations**.  In the Inbound policy, select **+ Add policy**.
 
    :::image type="content" source="../media/protect-api-hosted-in-apim-by-waf/apim-inbound-policy.png" alt-text="A screenshot showing how to add an inbound policy." lightbox="../media/protect-api-hosted-in-apim-by-waf/apim-inbound-policy.png":::
 
 3. Select Other policies
 
-   :::image type="content" source="../media/protect-api-hosted-in-apim-by-waf/apim-other-policies.png" alt-text="A screenshot showing other policies selected." lightbox="../media/protect-api-hosted-in-apim-by-waf/apim-other-policies.png":::
-
 4. Select “Show snippets" and select **Check HTTP header**.
 
-   :::image type="content" source="../media/protect-api-hosted-in-apim-by-waf/apim-check-http-header.png" alt-text="A screenshot showing check header selected." lightbox="../media/protect-api-hosted-in-apim-by-waf/apim-check-http-header.png":::
-
    Add the following code to the inbound policy for HTTP header `X-Azure-FDID`. Replace the `{FrontDoorId}`  with the AFD ID copied in the first step of this section.
 
-
    ```
    <check-header name="X-Azure-FDID" failed-check-httpcode="403" failed-check-error-message="Invalid request" ignore-case="false">
         <value>{FrontDoorId}</value>
    </check-header>
 
    ```
 
-   :::image type="content" source="../media/protect-api-hosted-in-apim-by-waf/apim-final-check-header.png" alt-text="A screenshot showing the final policy configuration." lightbox="../media/protect-api-hosted-in-apim-by-waf/apim-final-check-header.png":::
-
-   Select **Save**.
+5. Select **Save**.
 
    At this point, APIM access is restricted to the Azure Front Door endpoint only.
 
@@ -128,8 +109,6 @@ Requests routed through the Front Door include headers specific to your Front Do
 
 4. Select **bookwafpolicy** and verify that the **bookwafpolicy** has Managed rules provisioned. The latest versions of Microsoft_DefaultRueSet and Microsoft_BotManagerRuleSet is provisioned which protects the origin against OWASP top 10 vulnerabilities and malicious bot attacks.
 
-   :::image type="content" source="../media/protect-api-hosted-in-apim-by-waf/book-waf-policy.png" alt-text="A screenshot showing the WAF policy for managed rules." lightbox="../media/protect-api-hosted-in-apim-by-waf/book-waf-policy.png":::
-
 At this point, the end-to-end call is set up, and the API is protected by Azure Web Application Firewall.
 
 ## Verify the setup

articles/web-application-firewall/afds/protect-azure-open-ai.md

@@ -22,16 +22,14 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
 
 
 ## Create Azure OpenAI instance using the gpt-35-turbo model
-First, create an OpenAI instance.
 
+First, create an OpenAI instance.
 
 1. Create an Azure OpenAI instance and deploy a gpt-35-turbo model using [Create and deploy an Azure OpenAI Service resource](/azure/ai-services/openai/how-to/create-resource).
 1. Identify the Azure OpenAI endpoint and the API key.
 
    Open the Azure OpenAI service in the Azure AI Foundry portal and open the **Chat** option under **Playground**.
    Use the **View code** option to display the endpoint and the API key.
-   :::image type="content" source="../media/protect-azure-open-ai/view-code.png" alt-text="Screenshot showing the Azure AI Foundry portal Chat playground." lightbox="../media/protect-azure-open-ai/view-code.png":::
-   <br>
 
    :::image type="content" source="../media/protect-azure-open-ai/sample-code.png" alt-text="Screenshot showing Azure OpenAI sample code with Endpoint and Key.":::
 
@@ -51,9 +49,8 @@ First, create an OpenAI instance.
    }
 
    ```
-   :::image type="content" source="../media/protect-azure-open-ai/post-body.png" alt-text="Screenshot showing the post body." lightbox="../media/protect-azure-open-ai/post-body.png":::
-1. In response to the POST, you should receive a *200 OK*:
-   :::image type="content" source="../media/protect-azure-open-ai/post-200-ok.png" alt-text="Screenshot showing the POST 200 OK." lightbox="../media/protect-azure-open-ai/post-200-ok.png":::
+
+1. In response to the POST, you should receive a *200 OK*.
 
    The Azure OpenAI also generates a response using the GPT model.
 
@@ -73,17 +70,18 @@ Now use the Azure portal to create an Azure Front Door instance with Azure WAF.
 
 Enable the WAF policy in prevention mode and ensure **Microsoft_DefaultRuleSet_2.1** and **Microsoft_BotManagerRuleSet_1.0** are enabled.
 
-:::image type="content" source="../media/protect-azure-open-ai/web-application-firewall-policy.png" alt-text="Screenshot showing a WAF policy." lightbox="../media/protect-azure-open-ai/web-application-firewall-policy.png":::
-
 ## Verify access to Azure OpenAI via Azure Front Door endpoint
 
 Now verify your Azure Front Door endpoint.
 
 1. Retrieve the Azure Front Door endpoint from the Front Door Manager.
 
    :::image type="content" source="../media/protect-azure-open-ai/front-door-endpoint.png" alt-text="Screenshot showing the Azure Front Door endpoint." lightbox="../media/protect-azure-open-ai/front-door-endpoint.png":::
+
 2. Use your favorite API test method, such as [Visual Studio](/aspnet/core/test/http-files) or [Insomnia](https://insomnia.rest/) to send a POST request to the Azure Front Door endpoint.
-   1. Replace the Azure OpenAI endpoint with the AFD endpoint in the POST request.
+
+3. Replace the Azure OpenAI endpoint with the AFD endpoint in the POST request.
+
    :::image type="content" source="../media/protect-azure-open-ai/test-final.png" alt-text="Screenshot showing the final POST." lightbox="../media/protect-azure-open-ai/test-final.png":::
 
    Azure OpenAI also generates a response using the GPT model.

articles/web-application-firewall/afds/waf-front-door-create-portal.md

@@ -48,8 +48,6 @@ First, create a basic WAF policy with the managed Default Rule Set (DRS) by usin
     | ---                     | ---                                                |
     | Front door profile              | Select your Azure Front Door profile name. |
     | Domains          | Select the domains you want to associate the WAF policy to and then select **Add**. |
-
-    :::image type="content" source="../media/waf-front-door-create-portal/associate-profile.png" alt-text="Screenshot that shows the Associate a Front door profile page.":::
 
     > [!NOTE]
     > If the domain is associated to a WAF policy, it's shown as grayed out. You must first remove the domain from the associated policy and then re-associate the domain to a new WAF policy.
@@ -75,16 +73,14 @@ To create a custom rule, under the **Custom rules** section, select **Add custom
 
 The following example shows how to configure a custom rule to block a request if the query string contains **blockme**.
 
-:::image type="content" source="../media/waf-front-door-create-portal/customquerystring2.png" alt-text="Screenshot that shows the custom rule configuration page showing settings for a rule that checks whether the QueryString variable contains the value blockme.":::
+:::image type="content" source="../media/waf-front-door-create-portal/customquerystring2.png" alt-text="Screenshot that shows how to add a custom rule.":::
 
 ### Default Rule Set
 
 The Azure-managed Default Rule Set is enabled by default for the Premium and Classic tiers of Azure Front Door. The current DRS for the Premium tier of Azure Front Door is Microsoft_DefaultRuleSet_2.1. Microsoft_DefaultRuleSet_1.1 is the current DRS for the Classic tier of Azure Front Door. On the **Managed rules** page, select **Assign** to assign a different DRS.
 
 To disable an individual rule, select the checkbox in front of the rule number and select **Disable** at the top of the page. To change action types for individual rules within the rule set, select the checkbox in front of the rule number and select **Change action** at the top of the page.
 
-:::image type="content" source="../media/waf-front-door-create-portal/managed-rules.png" alt-text="Screenshot that shows the Managed rules page showing a rule set, rule groups, rules, and Enable, Disable, and Change Action buttons." lightbox="../media/waf-front-door-create-portal/managed-rules.png":::
-
 > [!NOTE]
 > Managed rules are only supported in the Azure Front Door Premium tier and Azure Front Door Classic tier policies.
 
@@ -95,5 +91,4 @@ When no longer needed, delete the resource group and all related resources.
 ## Next steps
 
 > [!div class="nextstepaction"]
-> - [Learn more about Azure Front Door](../../frontdoor/front-door-overview.md)
-> - [Learn more about Azure Front Door tiers](../../frontdoor/standard-premium/tier-comparison.md)
+> [Learn more about Azure Front Door tiers](../../frontdoor/standard-premium/tier-comparison.md)

articles/web-application-firewall/afds/waf-front-door-exclusion-configure.md

@@ -32,12 +32,8 @@ You decide to create an exclusion to allow these legitimate requests to pass thr
 
 1. Select **Managed rules** > **Manage exclusions**.
 
-   :::image type="content" source="../media/waf-front-door-exclusion-configure/managed-rules-exclusion.png" alt-text="Screenshot that shows the Azure portal showing the WAF policy's Managed rules page, with the Manage exclusions button highlighted." :::
-
 1. Select **Add**.
 
-   :::image type="content" source="../media/waf-front-door-exclusion-configure/exclusion-add.png" alt-text="Screenshot that shows the Azure portal with the exclusion list Add button." :::
-
 1. Configure the exclusion's **Applies to** section:
 
    | Field | Value |

articles/web-application-firewall/afds/waf-front-door-monitor.md

@@ -54,20 +54,16 @@ The Azure Front Door WAF provides detailed reporting on each request and each th
 
 Logs aren't enabled by default. You must explicitly enable logs. You can configure logs in the Azure portal by using the **Diagnostic settings** tab.
 
-:::image type="content" source="../media/waf-frontdoor-monitor/waf-diagnostic-setting.png" alt-text="Screenshot that shows how to enable the WAF logs." lightbox="../media/waf-frontdoor-monitor/waf-diagnostic-setting.png":::
-
 If logging is enabled and a WAF rule is triggered, any matching patterns are logged in plain text to help you analyze and debug the WAF policy behavior. You can use exclusions to fine-tune rules and exclude any data that you want to be excluded from the logs. For more information, see [Web application firewall exclusion lists in Azure Front Door](../afds/waf-front-door-exclusion.md).
 
 You can enable three types of Azure Front Door logs: 
 
-
 - WAF logs
 - Access logs
 - Health probe logs
 
 Activity logs are enabled by default and provide visibility into the operations performed on your Azure resources, such as configuration changes to your Azure Front Door profile.
 
-
 ### WAF logs
 
 ::: zone pivot="front-door-standard-premium"
@@ -188,6 +184,6 @@ The following snippet shows an example log entry, including the reason that the
 
 For more information about the other Azure Front Door logs, see [Monitor metrics and logs in Azure Front Door](../../frontdoor/front-door-diagnostics.md#logs).
 
-## Next steps
+## Next step
 
 Learn more about [Azure Front Door](../../frontdoor/front-door-overview.md).

articles/web-application-firewall/afds/waf-front-door-rate-limit-configure.md

@@ -35,20 +35,12 @@ You decide to create a rate-limit rule that restricts each source IP address to
 
 1. In the Azure portal, select **Create a resource**.
 
-   :::image type="content" source="../media/waf-front-door-rate-limit-configure/create-resource.png" alt-text="Screenshot that shows the Create a resource button on the home page." :::
-
 1. Search for **Front Door**, and select **Front Door and CDN profiles**.
 
-   :::image type="content" source="../media/waf-front-door-rate-limit-configure/create-front-door.png" alt-text="Screenshot that shows the marketplace, with Front Door highlighted." :::
-
 1. Select **Create**.
 
-   :::image type="content" source="../media/waf-front-door-rate-limit-configure/create-front-door-2.png" alt-text="Screenshot that shows Front Door and CDN profiles, with the Create button highlighted." :::
-
 1. Select **Continue to create a Front Door** to use the *quick create* portal creation process.
 
-   :::image type="content" source="../media/waf-front-door-rate-limit-configure/quick-create.png" alt-text="Screenshot that shows the Azure Front Door offerings, with the Quick create option selected and the Continue to create a Front Door button highlighted." :::
-
 1. Enter the information required on the **Basics** page:
 
    - **Resource group**: Select an existing resource group, or create a new resource group for the Azure Front Door and WAF resources.
@@ -63,12 +55,8 @@ You decide to create a rate-limit rule that restricts each source IP address to
 
 1. Enter the name of a WAF policy and select **Create**.
 
-   :::image type="content" source="../media/waf-front-door-rate-limit-configure/waf-policy-create.png" alt-text="Screenshot that shows the WAF policy creation prompt, with the Create button highlighted." :::
-
 1. Select **Review + create** > **Create**.
 
-   :::image type="content" source="../media/waf-front-door-rate-limit-configure/front-door-create.png" alt-text="Screenshot that shows the completed Azure Front Door profile configuration." :::
-
 1. After the deployment is finished, select **Go to resource**.
 
 ## Create a rate-limit rule

articles/web-application-firewall/afds/waf-front-door-tuning.md

@@ -313,8 +313,6 @@ Disabling a rule is a global setting that applies to all front-end hosts associa
 
 If you want to use Azure PowerShell to disable a managed rule, see the [`PSAzureManagedRuleOverride`](/powershell/module/az.frontdoor/new-azfrontdoorwafmanagedruleoverrideobject) object documentation. If you want to use the Azure CLI, see the [`az network front-door waf-policy managed-rules override`](/cli/azure/network/front-door/waf-policy/managed-rules/override) documentation.
 
-![Screenshot that shows WAF rules.](../media/waf-front-door-tuning/waf-rules.png)
-
 > [!TIP]
 > Document any changes you make to your WAF policy. Include example requests to illustrate the false positive detection. Explain why you added a custom rule, disabled a rule or rule set, or added an exception. If you redesign your application in the future, you might need to verify that your changes are still valid. Or you might be audited or need to justify why you reconfigured the WAF policy from its default settings.
 

articles/web-application-firewall/ag/application-gateway-waf-metrics.md

@@ -21,8 +21,6 @@ WAF with Application Gateway log is integrated with [Azure Monitor](/azure/azure
 
 WAF with Application Gateway provides detailed reporting on each threat it detects. Logging is integrated with Azure Diagnostics logs and alerts are recorded in a json format. These logs can be integrated with [Azure Monitor logs](/previous-versions/azure/azure-monitor/insights/azure-networking-analytics).
 
-![WAFDiag](../media/waf-appgateway-metrics/waf-appgateway-diagnostic.png)
-
 For more information about diagnostics logs, see [Application Gateway WAF resource logs](../ag/web-application-firewall-logs.md).  If logging is enabled and a WAF rule is triggered, any matching patterns are logged in plain text to help you analyze and debug the WAF policy behavior. You can use exclusions to fine tune rules and exclude any data that you want to be excluded from the logs. For more information, see [Web application firewall exclusion lists in Azure Application Gateway](../ag/application-gateway-waf-configuration.md).